Encrypt an SMB network share using Samba and an stunnel SSL connection

  • Suppose you have a network share containing accounting, payroll, or other finance information. The information is highly sensitive, and should be treated carefully.
  • Suppose that the data on the share is nothing more than a simple Microsoft Access Database file (MDB). The very second the data transfers across the network, it can be intercepted with the greatest of ease.
  • Using stunnel, an SSL-encrypted connection can be established without modifying Samba.
  • Samba 2 contained support for SSL; however, that support was removed in Samba 3, citing that this form of encryption would only be supported by Samba clients, and was thus worthless when serving Windows-based clients.

Install stunnel (stunnel.org) on the server:

From Source

  • edit tools/Makefile.in
  • change nogroup to nobody
  • Compile and install
./configure
make
make install

stunnel will create a new private key and certificate (stunnel.pem) during installation.

  • The SSL cert is self-signed; however, you can create your own SSL cert for use with stunnel.

Edit smb.conf and add an alias for the new secure server

  • /etc/samba/smb.conf:
netbios aliases = secserv

Configure stunnel on the server

FILE: stunnel.conf

;foreground = yes
cert = /usr/local/etc/stunnel/stunnel.pem

chroot = /usr/local/var/lib/stunnel/
setuid = nobody
setgid = nobody
pid = /stunnel.pid

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

debug = 7
output = /var/log/stunnel.log

[secserv]
accept   = 8139
connect  = 127.0.0.1:139

Install stunnel on the client

A Linux Client

FILE: stunnel.conf

;foreground = yes
;cert = /usr/local/etc/stunnel/stunnel.pem

chroot = /usr/local/var/lib/stunnel/
setuid = nobody
setgid = nobody
pid = /stunnel.pid

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

debug = 7
output = /var/log/stunnel.log

client = yes

[secserv]
accept   = 139
connect  = 192.168.0.102:8139

A Windows XP Client

FILE: stunnel.conf

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

debug = 7
output = stunnel.log

client = yes

[secserv]
accept   = 127.0.0.1:139
connect  = 192.168.0.102:8139
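Two details in the client configurations above are worth checking before trusting the tunnel: neither the Linux nor the Windows client sets stunnel's verify directive (with a CAfile), so the server's self-signed certificate is never checked, and the Linux client's "accept = 139" has no bind address, so it listens on every interface and exposes the cleartext side of the tunnel to the LAN. The following script is an added example of mine, not from the original page or the stunnel project: it parses a stunnel.conf and flags both conditions; the sample config and the audit rules are my own assumptions.

```python
import re

# Constructed sample, not copied from the page: the Linux client stunnel.conf
# with its two weak points kept: 'accept = 139' (no bind address) and no 'verify'.
SAMPLE_CLIENT_CONF = """\
;cert = /usr/local/etc/stunnel/stunnel.pem
chroot = /usr/local/var/lib/stunnel/
client = yes
[secserv]
accept   = 139
connect  = 192.168.0.102:8139
"""

def parse_stunnel_conf(text):
    """Parse stunnel.conf into {section: {key: [values]}}; globals live under ''."""
    conf, section = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":              # blank or commented out
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                                         # start of a service section
            section = m.group(1)
            conf.setdefault(section, {})
            continue
        key, _, value = line.partition("=")           # keys like 'socket' may repeat
        conf[section].setdefault(key.strip(), []).append(value.strip())
    return conf

def is_loopback(addr):
    # 'host:port' -> host; a bare 'port' binds every interface, so host is ''
    host = addr.rpartition(":")[0] if ":" in addr else ""
    return host in ("127.0.0.1", "localhost", "::1")

def audit(conf):
    """Return findings for the two mistakes that defeat the point of the tunnel."""
    g, findings = conf[""], []
    client = g.get("client", ["no"])[0].lower() == "yes"
    for name, svc in conf.items():
        if not name:
            continue
        opts = {**g, **svc}                           # service options override globals
        # The cleartext SMB leg must stay on the host: 'accept' on a client, 'connect' on the server.
        plain = opts.get("accept" if client else "connect", [""])[0]
        if not is_loopback(plain):
            findings.append(f"[{name}] cleartext leg '{plain}' is not bound to loopback")
        # A client that never checks the server certificate can be silently MITMed.
        if client and "verify" not in opts:
            findings.append(f"[{name}] client mode without 'verify' (plus CAfile): server cert unchecked")
    return findings
```

Run audit(parse_stunnel_conf(...)) over each stunnel.conf; the server config from this page passes, while the Linux client config yields both findings until "accept = 127.0.0.1:139" and "verify = 2" with a CAfile are added.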

To test that it works, run the smbclient command on the client against the local end of the tunnel

smbclient -I 127.0.0.1 -L secserv -U devon

To connect to a samba share routed over stunnel on Windows

Disable Windows File and Printer Services

  • stunnel forwards a port from server A to server B.
  • For Windows to connect to a SMB share, it expects that share to be served over TCP/IP on port 139.
  • Windows comes with its own File and Printer Sharing service, which will bind to port 139.
  • Uninstall Windows File and Printer Sharing or disable it permanently (note the space after "start=", which sc requires):
sc config lanmanserver start= disabled

Connect to the share as if it was on the localhost

net use b: \\127.0.0.1\secure_share
categories: linux | ssl | samba |